Neasa Ni Ghrada

The General Data Protection Regulation (GDPR) will automatically come into force across the EU on 25 May 2018. As the deadline fast approaches, Member States are busy progressing their draft implementing legislation. Article 23 of the GDPR provides Member States with discretion over how certain provisions will apply. These proposed derogations to the GDPR have been a focus point for many commentators on the draft national legislation.

Article 23

Under Article 23, Member States can introduce exemptions from the GDPR’s transparency obligations and individual rights, but only where the measure respects the essence of the individual’s fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society. The measure must safeguard one of the following:

national security;

defence;

public security;

the prevention, investigation, detection or prosecution of criminal offences, the execution of criminal penalties or breaches of ethics in regulated professions;

other important public interests, in particular economic or financial interests (e.g. budgetary and taxation matters, public health and security);

the protection of judicial independence and proceedings;

monitoring, inspection or regulatory functions connected to the exercise of official authority regarding security, defence, other important public interests or crime/ethics prevention;

the protection of the individual, or the rights and freedoms of others; or

the enforcement of civil law matters.

Chapter IX of the GDPR provides Member States with further exemptions, derogations, conditions or rules in relation to specific processing activities.

UK Call for Views on the GDPR

Earlier this year, the UK’s Department for Digital Culture, Media and Sport (DCMS) opened a public “call for views” as part of its implementation process. All stakeholders with an interest in data protection were encouraged to share views on any and all derogations in the UK Data Protection Bill.

Following the end of the call for views, the DCMS published its Statement of Intent and outlined its approach to the Data Protection Bill. The document (available here) emphasises the UK Government’s desire to continue its “gold standard” of data protection law. It states that the GDPR will be implemented in a way that, as far as possible, preserves the concepts of the UK’s Data Protection Act 1998 and ensures a smooth transition post Brexit, while complying with the GDPR and other applicable directives.

The DCMS has also provided a detailed summary of the proposed GDPR derogations in the Data Protection Bill (available here). The summary usefully sets out the derogations in the GDPR, the relevant GDPR article, and the reason for the UK deviating from the default position, where applicable.

It is reported that the Bill will be published in early September 2017.

The European Commission (EC) has opened an online public consultation on the targeted revision of EU consumer law (the Consultation). The Consultation follows the EC’s publication of the results of its Fitness Check on consumer and marketing law and of the evaluation of the Consumer Rights Directive (Directive 2011/83/EU) (the CRD).

Background

Both the Consultation and the Fitness Check form part of the EC’s Regulatory Fitness and Performance (REFIT) programme, which aims to make EU law simpler, less costly and identify any inconsistencies and/or obsolete measures which may have appeared over time.

The Fitness Check carried out a comprehensive evaluation of six directives:

– the Unfair Commercial Practices Directive 2005/29/EC;

– the Unfair Contract Terms Directive 93/13/EEC;

– the Price Indication Directive 98/6/EC;

– the Consumer Sales and Guarantees Directive 1999/44/EC;

– the Injunctions Directive 2009/22/EC; and

– the Misleading and Comparative Advertising Directive 2006/114/EC.

In late May, the EC published its findings of its analysis of these six directives and its separate parallel review of the CRD. In brief, the EC found that “[t]he evaluations confirm that in general consumer law remains fit for purpose.” It did identify, however, the need to improve awareness, enforcement of the rules and redress opportunities to make the best of the existing legislation. It also stated that targeted legislative changes to address certain identified shortcomings of the directives could be beneficial.

Free Online/Digital Services

One of the shortcomings that the EC identified is that the CRD does not currently apply to the provision of ‘free’ online/digital services. ‘Free’ in this context means that the consumer does not pay with money for the service but instead provides data. Examples of this are cloud storage, social media or webmail, where the main contractual obligation of the trader is not to provide digital content but rather a service allowing the creation, processing, storing or sharing of data that is produced by the consumer.

The EC has stated that it will examine extending the scope of the CRD to include such contracts for ‘free’ digital services. This would extend traders’ pre-contractual information requirements and consumers’ 14 days right of withdrawal to any digital services. This singling out of the providers of ‘free’ digital services, demonstrates the EC’s continued focus on the digital economy and protecting consumers rights online.

The Consultation offers all citizens and organisations the opportunity to have their say on this matter along with other consumer law matters such as banning doorstop selling and better individual remedies for consumers harmed by unfair commercial practices including misleading “green” claims.

Timing

The Consultation will run for 14 weeks (June – October 2017). Click here for more details.

The UK Information Commissioner’s Office (the ICO) has ruled that Virgin Trains East Coast (Virgin) did not break data protection law when it published CCTV images of the UK’s Labour party leader, Jeremy Corbyn. Virgin released the footage last year following Mr Corbyn’s comments that a Virgin train he was travelling on from London to Newcastle was “ram-packed”. The footage shows Mr Corbyn walking past empty seats.

Following its investigation, the ICO found that Virgin had a “legitimate interest” to release the footage of Mr Corbyn: “namely correcting what it deemed to be misleading news reports that were potentially damaging to its reputation and commercial interests”. The ICO acknowledged that Virgin could not have achieved this without publishing Mr Corbyn’s image.

The ICO did find, however, that Virgin breached the law when it published images of other passengers on the same service. It stated that Virgin should have taken better care to obscure the faces of other passengers on the train. Publication of their images was unfair and a breach of the first principle of the UK Data Protection Act that personal data shall be processed fairly and lawfully.

The ICO stopped short of formal regulatory action against Virgin to reflect “the exceptional circumstances of the breach”. It noted that it was “a one-off incident, and the people identified were unlikely to suffer serious distress or detriment”. However, the ICO did stress that Virgin “has not been let off the hook” and will strengthen its data protection training and policies and ensure it has easy access to pixelation services should the need arise again.

The Office of the Data Protection Commissioner (the ODPC) has released a guidance note on connected toys (the Guidance Note). The Guidance Note highlights the possible data protection issues that might occur when children and parents use toys with microphones and cameras that have an ability to connect to the internet.

The ODPC warns of certain potential issues with the personification of connected toys, in particular dolls. Some of these toys provide an interactive experience by reacting to selected words. This may give the impression of an emotional response to what the child says or does. In some instances, these toys are enabled to collect and record these “conversations” between the child and the connected toy on apps, smartphones or tablets. The ODPC cautions that some of these connected toys’ terms and conditions allow these potentially sensitive recordings to be shared with other companies and used for the basis of targeted advertising.

On 13 September 2016, the Central Bank of Ireland (the CBI) published new guidance on IT risk management and cybersecurity for financial service firms. Publication of the Guidance follows the CBI’s previous actions in relation to cyber risks in the funds, insurance and banking sectors (see previous blog here). The CBI acknowledges that IT plays an integral part in the supply of financial services and calls on Boards and Senior Management of regulated firms to recognise the ever increasing incidences of cyber-attacks and business interruptions. It requests such firms to acknowledge their responsibilities in this regard and prioritise IT security. This responsibility involves establishing and maintaining a resilient IT strategy, while ensuring that it aligns with the firm’s general business strategy. It states that a robust oversight and engagement on IT matters at the Board and Senior Management level promotes an IT and security risk aware culture within the firm.

Following the Brexit Referendum and the uncertainty now surrounding the future of data flows between the UK and the remaining EEA States, the UK Information Commissioner’s Office has published an update on its blog: “GDPR still relevant for the UK“. The update emphasises the importance of the GDPR to many organisations in the UK and notes:

“With so many businesses and services operating across borders, international consistency around data protection laws and rights is crucial both to businesses and organisations, and to consumers and citizens. The ICO’s role has always involved working closely with regulators in other countries, and that will continue to be the case. Having clear laws with safeguards in place is more important than ever given the growing digital economy, and we will be speaking to government to explain our view that reform of UK data protection law remains necessary.”

For further guidance and analysis on the impact of Brexit for businesses and investors in both Ireland and Northern Ireland, please see our website here.

The Office of the Data Protection Commissioner (ODPC) has contacted Dublin City Council in relation to its data protection concerns surrounding the City Council’s new anti-litter poster initiative. As part of the initiative the City Council had erected a billboard in the north inner city featuring CCTV images of 12 people who appear to be engaging in illegal dumping around the Amiens Street-Five Lamps area. Although the faces were slightly blurred due to the quality of the CCTV footage, the City Council stated that the people would be able to identify themselves from the images, as most likely would their neighbours.

Due to the personal data element of the CCTV images, it is reported that the ODPC has been in contact with the City Council to advise them that the processing of personal data must be done fairly and proportionally and must not be overly prejudicial to a person’s right to privacy.

In advance of the forthcoming Dáil elections, the Office of the Data Protection Commissioner (ODPC) has issued guidance to candidates for election and their representatives on canvassing, data protection and electronic marketing (the Guidance). Publication of the Guidance follows the ODPC’s previous efforts to boost awareness of individuals’ privacy rights in this area (see previous blog here).

The Guidance includes an overview of the provisions in relation to unsolicited marketing and cookie use as contained in the EC (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011 (S.I. 336 of 2011). It also emphasises the use of clear and prominent Privacy Statements on websites and data base compliance with the 8 Data Protection Principles.

Every year, the Department of the Environment, Community and Local Government encourages individuals to register to vote or to check that their details are up to date on the Electoral Register in advance of the 25 November deadline. In line with publicising such rights, the ODPC wishes to draw attention to the Edited Electoral Register and how it relates to direct marketing.

On 14 September 2015, Minister of State for International Financial Services Simon Harris TD launched the FPAI, a new trade association founded to further the interests of stakeholders involved in the rapidly evolving Irish FinTech sector.